[wp-hackers] Magic Quoting removal Road Map/Plan

Jari Pennanen ciantic at oksidi.com
Fri Jun 10 16:00:16 UTC 2011


Here is a quick take on the matter as code (only for _POST as example):


 * Add magic quotes to $_GET, $_POST, $_COOKIE, and $_SERVER.
 * Also forces $_REQUEST to be $_GET + $_POST. If $_SERVER, $_COOKIE,
 * or $_ENV are needed, use those superglobals directly.
 * @access private
 * @since 3.0.0
function wp_magic_quotes() {
    global $WP_ORIGINAL_POST;

    // If already slashed, strip.
    if ( get_magic_quotes_gpc() ) {
        $_GET    = stripslashes_deep( $_GET    );
        $_POST   = stripslashes_deep( $_POST   );
        $_COOKIE = stripslashes_deep( $_COOKIE );

    // Original non quoted

    // Escape with wpdb.
    $_GET    = add_magic_quotes( $_GET    );
    $_POST   = add_magic_quotes( $_POST   );
    $_COOKIE = add_magic_quotes( $_COOKIE );
    $_SERVER = add_magic_quotes( $_SERVER );

    // Force REQUEST to be GET + POST.
    $_REQUEST = array_merge( $_GET, $_POST );


 * Return original POST without magic quoting
 * @param false|string $key Key, if not given whole POST is returned
 * @param mixed $default Default value if key is not found
 * @return mixed Returns the value or default value if key is not found
function wp_get_post($key=false, $default=null) {
    global $WP_NONQUOTED_POST;

    if ($key === false) {
        return $WP_NONQUOTED_POST;
    return isset($WP_NONQUOTED_POST[$key]) ? $WP_NONQUOTED_POST[$key]
: $default;

2011/6/10 Jari Pennanen <ciantic at oksidi.com>:
> Hi!
> 2011/6/10 John Blackbourn <johnbillion+wp at gmail.com>:
>> That's fine, but you're straying from the issue at hand. If functions
>> like this were implemented we are still left with the $_GET and $_POST
>> superglobals that are currently quoted. The issue is that we cannot
>> remove quoting from these variables because it introduces a security
>> vulnerability for every plugin and theme that's been written up until
>> this point. If we can't remove quoting from the superglobals, this is
>> a fruitless exercise.
> No sir. If everyone starts to use new API we can get rid of $_GET and
> $_POST quoting. Get it? We must push everyone to use new API and when
> in distant future, future of PHP6 maybe, we can get rid of this _GET
> _POST quoting etc.

More information about the wp-hackers mailing list